I tried installing several different vulnerability scanners, and this one was the only one that worked right out of the box for me. The application works by scanning your game, and trying to insert hacks to see if it can perform XSS and other types of hacking, then it shows a report of the security issues in your game. By using it, I was able to find out that though I set my cookies to HttpOnly, it wasn't working as intended, and so I was able to implement a fix which did work. It was also helpful for me to find areas where the code had short tags on the game help pages (legacy game engine that I didn't write but am updating) which were echoing code and not the intended data. In addition to finding security holes in your game, it can also expose security holes in your server setup, which is really helpful if you run your own server and have access to the server ini and config files. I'm recommending this because I think it's important for game developers to have a tool for finding and fixing security issues with their games, and this one is easy to install and use. Here's the link to the Subgraph Vega site:

I had to run it in http because for some reason I can't get the SSL certificate link to work, but it's easy to reset your browser to not use its proxy after you are done. I had the SSL problem with one of the other scanners too, but at least this one will scan without the SSL certificate on localhost, which is all I needed it for.
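An added example, not code from this post or from Subgraph Vega, that reproduces the cookie check the scanner flagged above: it parses raw Set-Cookie headers and reports every cookie sent without HttpOnly (and Secure), including a copy of a cookie that is re-sent later in the response without the flags. The sample headers are constructed, and the fetch helper takes whatever URL you point it at (localhost in the scenario described):

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example, not code from the forum post or from Subgraph Vega. It checks
the same thing the scanner flagged: a cookie the developer believed was
HttpOnly but which the server was actually sending without that attribute.
"""
from __future__ import annotations

from urllib.request import urlopen

# Attributes every session-style cookie should carry (compared case-insensitively).
REQUIRED_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header value into (cookie name, attribute map).

    Attribute names are lower-cased so that 'HttpOnly', 'httponly' and
    'HTTPONLY' all compare equal; bare flag attributes map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_set_cookie_headers(headers: list[str]) -> list[tuple[str, list[str]]]:
    """Return (cookie name, missing attributes) for every header that lacks one.

    Each header is judged on its own: if the same cookie is sent twice in a
    response (once hardened, once not), the unhardened copy is still reported,
    which is how an "I set HttpOnly but it isn't working" situation shows up.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def fetch_set_cookie_headers(url: str) -> list[str]:
    """Fetch url and return its raw Set-Cookie header values.

    Network helper for checking a real response (e.g. http://localhost/...);
    the offline demo below does not call it.
    """
    with urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample response headers, standing in for what a legacy game
# engine on localhost might send; not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=0123456789abcdef; path=/",  # re-sent later without the flags
    "remember_me=deadbeef; path=/; expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure",
]


if __name__ == "__main__":
    for cookie_name, missing_attrs in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie_name}: missing {', '.join(missing_attrs)}")
```

Run it as-is to see the two findings from the constructed headers; to check your own game, replace `SAMPLE_HEADERS` with `fetch_set_cookie_headers("http://localhost/your-login-page")` and read the output alongside the scanner's report.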

GameMaster wrote: Kesstryl, thanks for your reply. So you upload to your public folder like http://www.yourdomain.com/vega/ and then point your browser to it?

No, it's a separate installation, and there are instructions for getting your browser to work with the port that the application uses so the application can poke at your game. The instructions seem to work best for Firefox, and once you are done, if you can't get the SSL certificate to work, you can easily switch your browser back to its default setting so you can surf the web again. What I did was pull up my site in Firefox, then go through the changes to make Firefox listen to the port that Subgraph Vega uses, and once all my scans were done, I switched Firefox back to normal. Their website has instructions for doing all of this.